FD-1057 (Rev. 5-8-10)
UNCLASSIFIED 


FEDERAL BUREAU OF INVESTIGATION 


Electronic Communication 


Title: (U) Place Holder For FBI Liaison Alert System (FLASH) Message: [redacted] b7E AUG 2016.
Date: 08/19/2016


CC: DM-NIP2 (UC) 


From: CYBER 


DM-CYW 

Contact: [redacted] 855-292-3937
b6 
b7C 


Approved By: [redacted] b7E
Case ID #: [redacted] FBI Liaison Alert System (FLASH)


Messages 
Synopsis: (U) The purpose of this EC is to document the place holder for FBI Liaison Alert System (FLASH) Message: [redacted] b7E


Details: 


(U) On 18 AUG 2016, CyWatch was advised that the Cyber Division Mission Critical Engagement Unit (MCEU) coordinated the limited dissemination of FBI Liaison Alert System (FLASH) Message: [redacted] b7E


(U) Please direct any questions or requests from third parties to obtain a copy of [redacted] to the Mission Critical Engagement Unit (MCEU). b7E
Import Form


FD-1036 (Rev. 10-16-2009) 


Form Type: EMAIL Date: 10/14/2016 


Title: (U) FBI Liaison Alert System (FLASH) Message: [redacted] 14 OCTOBER 2016


b6 
b7C 


Case ID #: [redacted] FBI Liaison Alert System (FLASH)


Messages 


Synopsis: (U//FOUO) On behalf of [redacted], CyWatch disseminated FBI Liaison Alert System (FLASH) Message: [redacted] on 14 OCTOBER 2016. b7E


Enclosure(s): Enclosed are the following items: 
1. (U) [redacted] b7E
2. (U) FLASH - [redacted]


**


UNCLASSIFIED//FOUO


14 October 2016 


Alert Number [redacted]

If you find any of these indicators on your networks, or have related information, please contact FBI CYWATCH immediately.

Email: cywatch@ic.fbi.gov
Phone: 1-855-292-3937


*Note: By reporting any related information to FBI CyWatch, you are assisting in sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks.


In furtherance of public-private partnerships, the FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber criminals. b7E


This FLASH has been released TLP: AMBER. The information in this product is only for members of their own organization and those with DIRECT NEED TO KNOW. This information is NOT to be forwarded on beyond NEED TO KNOW recipients.


Additional Indicators Related to Threats to 
Federal, State, and Local Government Systems 


b7E 


Attached with this FLASH is one attachment: 


b7E 


Information in this product is for official use only. No portion of this FLASH should be released to the media or the general public. Organizations should not attempt [redacted] this FLASH. The indicators are being provided for network defense purposes only and any activity to these indicators or release of this material could adversely affect investigative activities.


Reporting Notice 


The FBI encourages recipients who identify the use of tool(s) or techniques discussed in this document to report 
information to their local FBI Field Office or the FBI’s 24/7 Cyber Watch (CyWatch). Field Office contacts can be 
identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at 855-292-3937 or by e-mail at 
CyWatch@ic.fbi.gov. When available, each report submitted should include: the date; time; location; type of activity; 
number of infected users; type of equipment used for the activity; name of the submitting company or organization; 
and a designated point of contact. 


[redacted] (IMD) (CON)


From: CYWATCH 

Sent: Friday, October 14, 2016 6:50 PM 

Cc: CYWATCH 

Subject: FBI Liaison Alert System (FLASH) Message b7E 
Attachments: 


Categories: Red Category, Complete 


ALCON - 


This report is an update to the FLASH released on 18 August, 2016, Alert Number [redacted]. b7E

[...] organization and those with DIRECT NEED TO KNOW. This information is NOT to be forwarded on beyond NEED TO KNOW recipients.


Respectfully, 


CyWatch [redacted] b6
855-292-3937 b7C
Title: (U) FBI Liaison Alert System (FLASH) Message: [redacted] 17 NOVEMBER 2016
b3
b6
b7C
b7E
Case ID #: [redacted] FBI Liaison Alert System (FLASH) Messages
Synopsis: (U//FOUO) On behalf of ECOU II, CyWatch disseminated FBI Liaison Alert System (FLASH) Message: [redacted] 17 NOVEMBER 2016 b7E
UNCLASSIFIED//FOUO

17 NOV 2016

Alert Number [redacted]

If you find any of these indicators on your networks, or have related information, please contact FBI CYWATCH immediately.

E-mail: cywatch@ic.fbi.gov
Phone: 1-855-292-3937


*Note: By reporting any related information to FBI CyWatch, you are assisting in sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks.


In furtherance of public-private partnerships, the FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber criminals. b7E


This FLASH has been released TLP: GREEN. The information in this product is useful for the awareness of all participating organizations within their sector or community, but not via publicly accessible channels.


b7E 
Summary 

b7E 
Technical Details 

b7E 


The information in this FLASH was obtained through an FBI investigation and is provided in conjunction with the FBI's statutory requirement to conduct victim notification as outlined in 42 USC § 10607.


b7E 


b7E 
b7E 
b7E 
Rules and Signatures 
The following rules and signatures are provided for network defense 
purposes and are also included in an attached STIX file. 
YARA RULES: 
b7E 




b7E 




b7E 


b7E 
SNORT SIGNATURES 
/* These rules are medium fidelity and have not been thoroughly tested. 
Please test in your environment before deploying and provide feedback so 
that we may improve the quality if necessary. */ 
b7E 




b7E 


b7E 


OTHER SIGNATURES 


b7E 


b7E 


Recommended Mitigations 
b7E 




Reporting Notice 


The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI's 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at 855-292-3937 or by e-mail at CyWatch@ic.fbi.gov. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Press inquiries should be directed to the FBI's National Press Office at npo@ic.fbi.gov or (202) 324-3691.


Administrative Note 


This product is marked TLP: GREEN. The information in this product is useful
for the awareness of all participating organizations as well as with peers 
within the broader community or sector. Recipients may share this 
information with peers and partner organizations within their sector or 
community, but not via publicly accessible channels. No portion of this 
product should be released to the media, posted to public-facing Internet 
Web sites, or transmitted over non-secure, external communications 
channels. 




b7E 


b7E 


b7E 


b7E 
b7E 




Import Form


FD-1036 (Rev. 10-16-2009) 


Form Type: EMAIL Date: 11/23/2016 
Approved By: [redacted] b6


b7C 


Case ID #: [redacted] FBI Liaison Alert System (FLASH)


Messages 


Synopsis: (U) On behalf of ESU, CyWatch disseminated [redacted] b7E 23 NOVEMBER 2016.


Enclosure(s): Enclosed are the following items:


** 


UNCLASSIFIED//FOUO


National Press Office 


‘Tis the Season for Holiday Scams: 
How to Protect Yourself 


Talking Points 
Updated 11/23/2016 


With the holidays ramping up and seasonal shopping in full swing, criminals are also gearing up for a 
busy season. Cyber criminals don't take the holidays off. In fact, they're especially busy trying to steal 
your money and personal information. Shoppers should be more vigilant than ever for scams designed 
to steal their money and personal information. Though criminals are often aggressive and creative in 
their efforts to obtain such money and personal information, there are certain red flags and common 
schemes holiday shoppers can guard against this holiday season. 


Online Shopping Scams 


If a deal looks too good to be true, it probably is. Scammers often scheme to defraud consumers by
offering too-good-to-be-true deals via phishing e-mails or advertisements. Such schemes may offer
brand name merchandise at extremely low prices or promise gift cards as an incentive to purchase a
product. Other sites may offer products at a great price, but the products being sold are not the same as
the products advertised.


Steer clear of un-trusted sites or ads offering items at unrealistic discounts or with special coupons. You
may end up paying for an item, giving away personal information and credit card details, and then
receive nothing in return except a compromised identity. In addition, do not open any unsolicited e-mails
and do not click on any links provided.


In addition to securing your banking and credit accounts with strong and different passwords, secure all
your other accounts that contain anything of value, such as: rewards accounts, online accounts that save 
your payment information, or accounts containing your private, personal information. 


The emergence and prevalence of secondary markets for airline miles, gift cards, rewards credits, and 
the like have inadvertently increased the demand for, and resale value of, your stolen information. 


Be vigilant when receiving items purchased from online auctions and third-party marketplaces. If an item 
arrives from some other online merchant, it may have been purchased using a stolen credit card number 
or stolen rewards points, etc. and then shipped directly to you. Report such cases to both the 
marketplace where you bought and the merchant who sent it. 


Social Media Scams 


Beware of posts on social media sites that appear to offer vouchers or gift cards, especially deals that 
are too good to be true, such as a free $500 gift card. Some may pose as holiday promotions or
contests. It may even appear one of your friends shared the link with you. Often, these scams lead you 
to participate in an online survey that is actually designed to steal personal information. 


In addition, if you purchase or receive theater, concerts, or sporting event tickets as a holiday gift, do not 
post pictures of the tickets on social media sites. Fraudsters can create a ticket using the barcode 
obtained from the photo and resell the ticket. Protect ticket barcodes as you would your credit card
number, and never display them on social media. 


Smartphone App Scams 


Be careful when downloading mobile applications. Some apps, often disguised as games and offered for 
free, may be designed to steal personal information. Before downloading an app from an unknown 
source, research the company selling it or giving it away, and look online for third-party reviews of the 
product. Also, be mindful that alternative app marketplaces available to "jailbroken" or "rooted" devices
can potentially include copyright-infringing, stolen content and compromised versions of otherwise 
trustworthy applications. 


Work-From-Home Scams 


If you are in need of extra cash this time of year, beware of sites and postings offering work you can do 
from the comfort of your own home. These opportunities rely on convenience as a selling point for 
applicants, but often have unscrupulous motivations behind them. You should carefully research the job 
posting and individuals or company offering you employment. 


Protect Yourself 


Here are some additional steps you can take to avoid becoming a victim of cyber fraud this holiday 
season: 


• Check your credit card statement routinely. If possible, set up credit card transaction auto alerts, or check your balance after every online purchase to ensure the proper amount was charged to your account. It is important to keep checking your card after the holiday season, as many fraudulent charges can show up even several weeks later.

• When purchasing merchandise, ensure it is from a reputable source.

• Ensure a site is secure and reputable before providing your credit card number online. Don't trust a site just because it claims to be secure.

• Do your research to ensure legitimacy of the individual or company you are purchasing from.

• Beware of providing credit card information when requested through unsolicited e-mails.

• Do not respond to unsolicited (spam) e-mails.

• Do not click on links contained within an unsolicited e-mail.

• Avoid filling out forms contained in e-mail messages that ask for personal information.

• Be cautious of e-mails claiming to contain pictures in attached files, as the files may contain viruses. Only open attachments from known senders. Scan the attachments for viruses if possible.

• Verify any requests for personal information from any business or financial institution by contacting them using the main contact information on their official website.

• Secure your credit card accounts, even rewards accounts, with strong passwords, change passwords and check your account routinely.

• Be wary when replying to unsolicited e-mails for work-at-home employment.

• Be cautious of exaggerated claims of possible earnings or profits.

• Beware when money is required up front for instructions or products for employment.

• Do not give out your personal information when first interacting with a prospective employer.

• Be leery when a job posting claims "no experience necessary."

• Be cautious when dealing with individuals outside of your own country.


Who To Contact if You Suspect You've Been Victimized: 


• Contact your financial institution immediately upon suspecting or discovering a fraudulent transfer.

• Contact law enforcement.

• Request that your bank reach out to the financial institution where the fraudulent transfer was sent.

• File a complaint with the FBI's Internet Crime Complaint Center at www.IC3.gov, regardless of dollar loss. Provide all relevant information in your complaint.


[redacted] (IMD) (CON) b6
b7C 


From: CYWATCH 

Sent: Wednesday, November 23, 2016 2:52 PM 

To: HQ-DIV16-FIELD-CYBER-SSA; HQ-DIV16-FIELD-CYBER-ASAC 

Cc: [redacted] (CyD) (FBI); [redacted] (INSD) (FBI); HQ-DIV16-ESU b6 b7C

Subject: [redacted] b7E

Attachments: 

Categories: Complete 




All, 
b7E 


Respectfully, 


Cyber Division Executive Staff 


Title: (U) FBI Liaison Alert System (FLASH) Message: [redacted] 07 MARCH 2017
Case ID #: [redacted] FBI Liaison Alert System (FLASH)


Messages 


Synopsis: (U//FOUO) On behalf of MCCIU2, CyWatch disseminated FBI Liaison Alert System (FLASH) Message: [redacted] 07 MARCH 2017 b7E


** 
[redacted] (IMD) (CON)


From: CYWATCH 
Sent: Tuesday, March 07, 2017 10:16 AM 
Cc: CYWATCH 


Subject: FBI Liaison Alert System (FLASH) [redacted] TLP: AMBER b7E
Attachments: 


ALCON, 


Please see the attached FBI Liaison Alert System (FLASH) [redacted] b7E


b7E 


This product is marked TLP: AMBER. Recipients may only share this information with partners who need to know, and
only as widely as necessary to act on that information. 


Respectfully, 


CyWatch [redacted] b6
855-292-3937 b7C 


Import Form


FD-1036 (Rev. 10-16-2009) 


Form Type: EMAIL Date: 03/07/2017 


FBI Liaison Alert System (FLASH) Message: 
07 MARCH 2017 
Case ID #: [redacted] FBI Liaison Alert System (FLASH)




Title: (U) UPDATE 


Messages 
Synopsis: (U//FOUO) On behalf of MCCIU2, CyWatch disseminated an UPDATED FBI Liaison Alert System (FLASH) Message: [redacted] 07 MARCH 2017 b7E
**


UNCLASSIFIED//FOUO


[redacted] (IMD) (CON)


From: CYWATCH

Sent: Tuesday, March 07, 2017 5:28 PM 

Cc: CYWATCH 

Subject: UPDATED FBI Liaison Alert System (FLASH) [redacted] TLP: AMBER b7E
Categories: Complete 




ALCON, 

Please see the attached UPDATED FBI Liaison Alert System (FLASH) [redacted] b7E
b7E

This product is marked TLP: AMBER. Recipients may only share this information with partners who need to know, and


only as widely as necessary to act on that information. 
Respectfully, 


CyWatch [redacted] b6


855-292-3937 b7C 
b7E 


Case ID #: (U) FBI Liaison Alert System (FLASH)
Messages 


Synopsis: (U//FOUO) On behalf of MCCIU2, CyWatch disseminated FBI Liaison Alert System (FLASH) Message: [redacted] 28 MARCH 2017 b7E


**


UNCLASSIFIED//FOUO


[redacted] (IMD) (CON)


From: CYWATCH

Sent: Tuesday, March 28, 2017 12:17 PM 

Cc: CYWATCH 

Subject: FBI Liaison Alert System (FLASH) [redacted] b7E
Attachments: 


ALCON, 


Please see the attached FBI Liaison Alert System (FLASH) [redacted] b7E


b7E 


This product is marked TLP: AMBER. Recipients may only share this information with partners who need to know, and
only as widely as necessary to act on that information. 


Respectfully, 


CyWatch [redacted] b6
1-855-292-3937 b7C 
Case ID #: (U) FBI Liaison Alert System (FLASH)
Messages 


Synopsis: (U//FOUO) On behalf of MCCIU2, CyWatch disseminated FBI Liaison Alert System (FLASH) Message: [redacted] 13 MAY 2017 b7E


Enclosure(s): Enclosed are the following items: 


1. (U) [redacted] b7E
2. (U) [redacted]
** 


This document is a U.S. Government interagency technical guidance document aimed to inform Chief Information Officers and Chief Information Security Officers at critical infrastructure entities, including small, medium, and large organizations. This document provides an aggregate of already existing Federal government and private industry best practices and mitigation strategies focused on the prevention and response to ransomware incidents.




Protecting Your Networks from Ransomware


Ransomware is the fastest growing malware threat, targeting users 
of all types—from the home user to the corporate network. On 
average, more than 4,000 ransomware attacks have occurred daily 
since January 1, 2016. This is a 300-percent increase over the 
approximately 1,000 attacks per day seen in 2015. There are very 
effective prevention and response actions that can significantly 
mitigate the risk posed to your organization. 


Ransomware targets home users, businesses, and 
government networks and can lead to temporary or 
permanent loss of sensitive or proprietary information, 
disruption to regular operations, financial losses incurred to 
restore systems and files, and potential harm to an 
organization's reputation. 


Ransomware may direct a user to click on a link to pay a 
ransom; however, the link may be malicious and could lead to 
additional malware infections. Some ransomware variants 
display intimidating messages, such as: 


"Your computer was used to visit websites with 
illegal content. To unlock your computer, you must 
pay a $100 fine." 


"You only have 96 hours to submit the payment. If 
you do not send money within provided time, all 
your files will be permanently encrypted and no one 
will be able to recover them." 



Ransomware

Ransomware is a form of malware that targets your critical data and systems for the purpose of extortion. Ransomware is frequently delivered through spearphishing emails. After the user has been locked out of the data or system, the cyber actor demands a ransom payment. After receiving payment, the cyber actor will purportedly provide an avenue to the victim to regain access to the system or data. Recent iterations target enterprise end users, making awareness and training a critical preventive measure.






Educate Your Personnel


Attackers often enter the organization by tricking a user to disclose a password or click on a 
virus-laden email attachment. 


Remind employees to never click unsolicited links or open unsolicited attachments in emails.
To improve workforce awareness, the internal security team may test the training of an
organization's workforce with simulated phishing emails¹.


Prevention is the most effective defense against ransomware and it is critical to take 
precautions for protection. Infections can be devastating to an individual or organization, and 
recovery may be a difficult process requiring the services of a reputable data recovery 
specialist. 


The U.S. Government (USG) recommends that users and administrators take the following 
preventive measures to protect their computer networks from falling victim to a ransomware 
infection: 


Preventive Measures


• Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.

• Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.

• Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.

• Configure firewalls to block access to known malicious IP addresses.

• Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.

• Set anti-virus and anti-malware programs to conduct regular scans automatically.

• Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.


¹ For additional information on Avoiding Social Engineering and Phishing Attacks, please see US-CERT Security Tip (ST04-014), available at:


• Configure access controls—including file, directory, and network share permissions—with least privilege in mind. If a user only needs to read specific files, the user should not have write access to those files, directories, or shares.

• Disable macro scripts from office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full office suite applications.

• Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.

• Consider disabling Remote Desktop Protocol (RDP) if it is not being used.

• Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.

• Execute operating system environments or specific programs in a virtualized environment.

• Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.
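The SPF and DMARC recommendation above is easy to satisfy on paper while still stopping no spoofing. As an added example, not from the USG guidance, this Python helper parses constructed SPF and DMARC TXT records (the DNS lookups that would fetch real records are assumed to be done elsewhere), evaluates a sender IP against the SPF ip4/ip6 terms, and flags the weak settings (a permissive `all`, DMARC `p=none`) beside the corrected ones.

```python
import ipaddress

# Constructed sample TXT records for a hypothetical domain. The DNS lookups
# that would retrieve real records are assumed to happen elsewhere.
WEAK_SPF = "v=spf1 ip4:203.0.113.0/24 +all"   # +all lets any host pass
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into ip4/ip6 networks, the 'all' qualifier and
    mechanisms that would need further DNS (include, a, mx, redirect).
    Those are reported, not resolved, so callers know the view is partial."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    networks, unresolved, all_qualifier = [], [], None
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in ("ip4", "ip6"):
            networks.append((qualifier, ipaddress.ip_network(arg, strict=False)))
        else:
            unresolved.append(qualifier + term)
    return {"networks": networks, "all": all_qualifier, "unresolved": unresolved}


def spf_verdict(record, sender_ip):
    """Evaluate sender_ip against the ip4/ip6 mechanisms only; the 'all'
    qualifier decides when nothing matches (a missing 'all' is neutral)."""
    parsed = parse_spf(record)
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, net in parsed["networks"]:
        if ip.version == net.version and ip in net:
            return RESULT_FOR_QUALIFIER[qualifier]
    return RESULT_FOR_QUALIFIER.get(parsed["all"], "neutral")


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for field in record.split(";"):
        key, _, value = field.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_email_auth(spf_record, dmarc_record):
    """Return findings for settings that publish a record yet stop no spoofing."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all"] in (None, "+", "?"):
        findings.append("SPF does not reject unlisted senders; end the record with -all")
    elif spf["all"] == "~":
        findings.append("SPF ~all only softfails; receivers rarely reject on it")
    if spf["unresolved"]:
        findings.append("SPF mechanisms not checked here: " + " ".join(spf["unresolved"]))
    dmarc = parse_dmarc(dmarc_record)
    if dmarc.get("p", "none").lower() == "none":
        findings.append("DMARC p=none is monitor-only; move to quarantine or reject")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua= address, so failures are never reported")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("strong", STRONG_SPF, STRONG_DMARC)):
        # 198.51.100.7 is a constructed "spoofing" host outside the listed ranges.
        print(label, "spoofed 198.51.100.7 ->", spf_verdict(spf, "198.51.100.7"))
        for finding in assess_email_auth(spf, dmarc) or ["no findings"]:
            print("  ", finding)
```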


Business Continuity Considerations 


• Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it is working.

• Conduct an annual penetration test and vulnerability assessment.

• Secure your backups. Ensure backups are not connected permanently to the computers and networks they are backing up. Examples are securing backups in the cloud or physically storing backups offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization. Backups are critical in ransomware recovery and response; if you are infected, a backup may be the best way to recover your critical data.
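The backup items above ask for integrity verification, a tested restore, and backups that ransomware cannot reach. As an added example that is not part of the guidance, this Python script builds a SHA-256 manifest for a constructed sample backup tree, proves a restore reproduces it, and then shows the manifest catching the files a simulated encrypting variant overwrites or renames when a backup stays connected; the sample files and the scrambling routine are constructed for the demonstration only.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Constructed sample backup contents; not taken from any real system.
SAMPLE_FILES = {
    "finance/ledger.xlsx": b"quarterly ledger rows\n" * 50,
    "hr/contracts.docx": b"employment contract text\n" * 20,
    "it/runbook.md": b"# Restore procedure\n1. isolate\n2. restore\n",
}
EMPTY_REPORT = {"modified": [], "missing": [], "unexpected": []}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare a tree against a manifest taken when the backup was known clean.
    Encrypting variants show up as 'modified' (overwritten in place) or as a
    'missing' original paired with an 'unexpected' renamed file."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def write_sample_tree(root, files):
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def simulate_encryption(root, rel, rename):
    """Stand-in for an encrypting variant reaching a still-mounted backup:
    the bytes are scrambled and, optionally, the file gets a new extension.
    A plain XOR is used only to keep the demo deterministic; it is not real malware."""
    full = os.path.join(root, rel)
    with open(full, "rb") as f:
        scrambled = bytes(b ^ 0x5A for b in f.read())
    target = full + ".locked" if rename else full
    with open(target, "wb") as f:
        f.write(scrambled)
    if rename:
        os.remove(full)


def run_backup_cycle():
    """Back up, verify, restore-test, then tamper and verify again.
    Returns the three verification reports for inspection."""
    work = tempfile.mkdtemp()
    try:
        backup = os.path.join(work, "backup")
        write_sample_tree(backup, SAMPLE_FILES)
        manifest = build_manifest(backup)
        # The manifest is kept apart from the backup (offline or signed in practice)
        # so whatever can rewrite the backup cannot also rewrite the baseline.
        with open(os.path.join(work, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)
        clean = verify_backup(backup, manifest)
        # Restoration test: copy the backup elsewhere and check it against the manifest.
        restore = os.path.join(work, "restore")
        shutil.copytree(backup, restore)
        restored = verify_backup(restore, manifest)
        # Now the backup stays connected and the simulated variant reaches it.
        simulate_encryption(backup, "finance/ledger.xlsx", rename=True)
        simulate_encryption(backup, "hr/contracts.docx", rename=False)
        tampered = verify_backup(backup, manifest)
        return {"clean": clean, "restored": restored, "tampered": tampered}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_backup_cycle(), indent=2))
```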


Should preventive measures fail, the USG recommends that organizations consider taking the 
following steps upon an infection with ransomware: 


• Isolate the infected computer immediately. Infected systems should be removed from the network as soon as possible to prevent ransomware from attacking network or share drives.

• Isolate or power-off affected devices that have not yet been completely corrupted. This may afford more time to clean and recover data, contain damage, and prevent worsening conditions.

• Immediately secure backup data or systems by taking them offline. Ensure backups are free of malware.

• Contact law enforcement immediately. We strongly encourage you to contact a local field office of the Federal Bureau of Investigation (FBI) or U.S. Secret Service immediately upon discovery to report a ransomware event and request assistance.

• If available, collect and secure partial portions of the ransomed data that might exist.

• If possible, change all online account passwords and network passwords after removing the system from the network. Furthermore, change all system passwords once the malware is removed from the system.

• Delete Registry values and files to stop the program from loading.


Implement your security incident response and business continuity plan. Ideally, 
organizations will ensure they have appropriate backups, so their response to an attack will 
simply be to restore the data from a known clean backup. Having a data backup can eliminate 
the need to pay a ransom to recover data. 


There are serious risks to consider before paying the ransom. USG does not encourage 
paying a ransom to criminal actors. However, after systems have been compromised, whether 
to pay a ransom is a serious decision, requiring the evaluation of all options to protect 
shareholders, employees, and customers. Victims will want to evaluate the technical feasibility, 
timeliness, and cost of restarting systems from backup. Ransomware victims may also wish to 
consider the following factors: 


• Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom.

• Some victims who paid the demand were targeted again by cyber actors.

• After paying the originally demanded ransom, some victims were asked to pay more to get the promised decryption key.

• Paying could inadvertently encourage this criminal business model.




Any entity infected with ransomware should contact law enforcement immediately. Law 
enforcement may be able to use legal authorities and tools that are unavailable to most 
organizations. Law enforcement can enlist the assistance of international law enforcement 
partners to locate the stolen or encrypted data or identify the perpetrator. These tools and 
relationships can greatly increase the odds of successfully apprehending the criminal, thereby 
preventing future losses. 
Federal law enforcement places a priority on conducting cyber investigations in a manner that
causes minor disruption to a victim entity's normal operations and seeks to work cooperatively
and discreetly with that entity. Federal law enforcement uses investigative measures that avoid 
unnecessary downtime or displacement of a company's employees. Federal law enforcement 
closely coordinates its activities with the affected organization to avoid unwarranted disclosure 
of information. 


As an affected entity recovers from a cybersecurity incident, the entity should initiate measures 
to prevent similar incidents. Law enforcement agencies and the Department of Homeland 
Security's National Cybersecurity and Communications Integration Center can assist 
organizations in implementing countermeasures and provide information and best practices for 
avoiding similar incidents in the future. Additionally, the affected organization should conduct a 
post-incident review of their response to the incident and assess the strengths and 
weaknesses of its incident response plan. 


Ransomware is a growing criminal activity involving numerous variants. Since 2012 when 
police locker ransomware variants first emerged, ransomware variants have become more 
sophisticated and destructive. Some variants encrypt not just the files on the infected device, 
but also the contents of shared or networked drives, externally attached storage media 
devices, and cloud storage services that are mapped to infected computers. These variants 
are considered destructive because they encrypt users' and organizations' files, and render 
those files useless until a ransom is paid. 


Recent federal investigations by the FBI reveal that ransomware authors continue to improve 
ransomware code by using anonymizing services like "Tor"³ for end-to-end communication to
infected systems and Bitcoin virtual currency to collect ransom payments. Currently, the top 
five ransomware variants targeting U.S. companies and individuals are CryptoWall, CTB- 
Locker, TeslaCrypt, MSIL/Samas, and Locky. New ransomware variants are continually 
emerging. 


CryptoWall

CryptoWall and its variants have been actively used to target U.S. victims since April 2014.
CryptoWall was the first ransomware variant that only accepted ransom payments in Bitcoin. 
The ransom amounts associated with CryptoWall are typically between $200 and $10,000. 
Following the takedown of the CryptoLocker botnet, CryptoWall has become the most 
successful ransomware variant with victims all over the world. Between April 2014 and June 


"Forn more information on ои variants and other resources, visit 52 


3 Tor is free software for r anonymous communication. Tor directs Internet traffic through a free, 
worldwide, volunteer network consisting of more than 7,000 relays to conceal a user's location and usage from 
anyone conducting network surveillance or traffic analysis. (The name derives from the original software project 
name, The Onion Router.) 


2015, IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling 
over $18 million.* CryptoWall is primarily spread via spam email but also infects victims 
through drive-by downloads? and malvertising$. 


CTB-Locker 


CTB-Locker emerged in June 2014 and is one of the first ransomware variants to use Tor for 
its C2 infrastructure. CTB-Locker uses Tor exclusively for its C2 servers and only connects to 
the C2 after encrypting victims' files. Additionally, unlike other ransomware variants that utilize 
the Tor network for some communication, the Tor components are embedded in the CTB- 
Locker malware, making it more efficient and harder to detect. CTB-Locker is spread through 
drive-by downloads and spam emails. 


TeslaCrypt 


TeslaCrypt emerged in February 2015, initially targeting the video game community by 
encrypting gaming files. These files were targeted in addition to the files typically targeted by 
ransomware (documents, images, and database files). Once the data was encrypted, 
TeslaCrypt attempted to delete all Shadow Volume Copies and system restore points to 
prevent file recovery. TeslaCrypt was distributed through the Angler, Sweet Orange, and 
Nuclear exploit kits. 


MSIL or Samas (SAMSAM) 


MSIL or Samas (SAMSAM) was used to compromise the networks of multiple U.S. victims, 
including 2016 attacks on healthcare facilities that were running outdated versions of the 
JBoss content management application. SAMSAM exploits vulnerable Java-based Web 
servers. SAMSAM uses open-source tools to identify and compile a list of hosts reporting to 
the victim's active directory. The actors then use psexec.exe to distribute the malware to each 
host on the network and encrypt most of the files on the system. The actors charge varying 
amounts in Bitcoin to provide the decryption keys to the victim. 


Locky 


In early 2016, a destructive ransomware variant, Locky, was observed infecting computers 
belonging to businesses globally, including those in the United States, New Zealand, Australia, 
Germany and the United Kingdom. Locky propagates through spam emails that include 
malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip) that were 
previously associated with banking Trojans such as Dridex and Pony. The malicious 
attachments contain macros or JavaScript files to download the Locky files. Recently, this 
ransomware has also been distributed using the Nuclear Exploit Kit. 


⁴ This number includes additional costs incurred by the victim. Expenses may be associated with network 
mitigation, network countermeasures, loss of productivity, legal fees, IT services, and the purchase of credit 
monitoring services for employees or customers. 

⁵ "Drive-by download" is the transfer of malicious software to the victim's computer without the knowledge of or any 
action by the victim. 

⁶ "Malvertising" is the use of malicious ads on legitimate websites. These malicious ads contain code that will 
infect a user's computer without any action from the user (i.e., the user does not have to click on the ad to 
become infected). 


Links to Other Types of Malware 


Systems infected with ransomware are also often infected with other malware. In the case of 
CryptoLocker, a user typically was infected by opening a malicious attachment from an email. 
This malicious attachment contained Upatre, a downloader, which infected the user with 
GameOver Zeus. GameOver Zeus was a variant of the Zeus Trojan used to steal banking 
information and other types of data. After a system became infected with GameOver Zeus, 
Upatre would also download CryptoLocker. Finally, CryptoLocker encrypted files on the 
infected system and demanded a ransom payment. 


The disruption operation against the GameOver Zeus botnet also affected CryptoLocker, 
demonstrating the close ties between ransomware and other types of malware. In June 2014, 
an international law enforcement operation successfully weakened the infrastructure of both 
GameOverZeus and CryptoLocker. 
Federal Bureau of Investigation 
Alert Number 


MC-000081-MW 


If you find any of these indicators on your networks, or have related information, 
please contact FBI CYWATCH immediately. 


Email: 
cywatch@ic.fbi.gov 


Phone: 
1-855-292-3937 


*Note: By reporting any related 
information to FBI CyWatch, 
you are assisting in sharing 
information that allows the FBI 
to track malicious actors and 
coordinate with private 
industry and the United States 
Government to prevent future 
intrusions and attacks. 


Indicators Associated With WannaCry Ransomware 


This is a joint product with the Department of Homeland Security. 


In furtherance of public-private partnerships, the FBI routinely advises private 
industry of various cyber threat indicators observed during the course of our 
investigations. This data is provided in order to help cyber security 
professionals and system administrators guard against the persistent malicious 
actions of cyber criminals. 


This FLASH has been released TLP: WHITE: This information may be distributed 
without restriction. 


Summary 


According to numerous open-source reports, a widespread ransomware campaign 
is affecting various organizations with reports of tens of thousands of infections in 
as many as 99 countries, including the United States, United Kingdom, Spain, 
Russia, Taiwan, France, and Japan. The software can run in as many as 27 different 
languages. The latest version of this ransomware variant, known as WannaCry, 
WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an 
independent security researcher and has spread rapidly over several hours, with 
initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source 
reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S. 


Technical Details 


Initial reports indicate the hacker or hacking group behind the WannaCry campaign 
is gaining access to enterprise servers either through Remote Desktop Protocol 
(RDP) compromise or through the exploitation of a critical Windows SMB 
vulnerability. Microsoft released a security update for the MS17-010 vulnerability 
on March 14, 2017. According to open sources, one possible infection vector is via 
phishing emails. 


The WannaCry ransomware received and analyzed by US-CERT is a loader that 
contains an AES-encrypted DLL. During runtime, the loader writes a file to disk 
named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this 
file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry 
Ransomware responsible for encrypting the user’s files. Using this cryptographic 
loading method, the WannaCry DLL is never directly exposed on disk and not 
vulnerable to antivirus software scans. 


The information in this FLASH was obtained through an FBI investigation and is provided in conjunction with 
the FBI’s statutory requirement to conduct victim notification as outlined in 42 USC § 10607 
The newly loaded DLL immediately begins encrypting files on the victim’s system 
and encrypts the user’s files with 128-bit AES. A random key is generated for the 
encryption of each file. 


The malware also attempts to access the IPC$ shares and SMB resources the victim 
system has access to. This access permits the malware to spread itself laterally on a 
compromised network. However, the malware never attempts to attain a password 
from the victim’s account in order to access the IPC$ share. 


This malware is designed to spread laterally on a network by gaining unauthorized 
access to the IPC$ share on network resources on the network on which it is 
operating. 


TLP: WHITE 


Federal Bureau of Investigation, Cyber Division 
Flash Notification 


Confirmed indicators: 


SHA-256 Hashes: 


File name: 
@WanaDecryptor@.exe 


Yara Signatures 


rule Wanna_Cry_Ransomware_Generic { 
    meta: 
        description = "Detects WannaCry Ransomware on disk and in virtual page" 
        author = "US-CERT Code Analysis Team" 
        reference = "not set" 
        date = "2017/05/12" 
        hash0 = "4DA1F312A214C07143ABEEAFB695D904" 
    strings: 
        $s0 = { 41 00 44 00 4D 00 49 00 4E 00 24 00 }   // "ADMIN$" encoded as UTF-16LE 
        $s1 = "WannaDecryptor" 
        $s2 = "WANNACRY" 
        $s3 = "Microsoft Enhanced RSA and AES Cryptographic" 
        $s4 = "PKS" 
        $s5 = "StartTask" 
        $s6 = "wcry@123" 
        $s7 = { 2F 66 00 00 2F 72 }   // "/f\0\0/r" 
        $s8 = "unzip 0.15 Copyrigh" 
    condition: 
        $s0 and $s1 and $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8 
} 

/* The following Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and 
   open to any user or organization, as long as you use it under this license. */ 
rule MS17_010_WanaCry_worm { 
    meta: 
        description = "Worm exploiting MS17-010 and dropping WannaCry Ransomware" 
        author = "Felipe Molina (@felmoltor)" 
        reference = "https://www.exploit-db.com/exploits/41987/" 
        date = "2017/05/12" 
    strings: 
        $ms17010_str1 = "PC NETWORK PROGRAM 1.0" 
        $ms17010_str2 = "LANMAN1.0" 
        $ms17010_str3 = "Windows for Workgroups 3.1a" 
        $ms17010_str4 = "__TREEID__PLACEHOLDER__" 
        $ms17010_str5 = "__USERID__PLACEHOLDER__" 
        $wannacry_payload_substr1 = "h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j" 
        $wannacry_payload_substr2 = "h54WfF9cGigWFEx92bzmOd0UOaZlM" 
        $wannacry_payload_substr3 = "tpGFEoLOU6+5I78Toh/nHs/RAP" 
    condition: 
        all of them 
} 


Recommended Steps for Prevention 

• Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017. 

• Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound 
e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and 
Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing. 

• Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end 
users. 

• Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans. 

• Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned 
administrative access unless absolutely needed. Those with a need for administrator accounts should only use 
them when necessary. 

• Configure access controls including file, directory, and network share permissions with least privilege in mind. 
If a user only needs to read specific files, they should not have write access to those files, directories, or 
shares. 

• Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software 
to open Microsoft Office files transmitted via e-mail instead of full Office suite applications. 

• Develop, institute and practice employee education programs for identifying scams, malicious links, and 
attempted social engineering. 

• Have regular penetration tests run against the network, no less than once a year, and ideally, as often as 
possible/practical. 

• Test your backups to ensure they work correctly upon use. 


Recommended Steps for Remediation 
• Contact law enforcement. We strongly encourage you to contact a local FBI field office upon discovery to 
report an intrusion and request assistance. Maintain and provide relevant logs. 
• Implement your security incident response and business continuity plan. Ideally, organizations should ensure 
they have appropriate backups so their response is simply to restore the data from a known clean backup. 


Defending Against Ransomware Generally 
Precautionary measures to mitigate ransomware threats include: 


• Ensure anti-virus software is up-to-date. 


• Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate 
and secure location. Backup copies of sensitive data should not be readily accessible from local networks. 


• Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails. 


• Only download software — especially free software — from sites you know and trust. 
• Enable automated patches for your operating system and Web browser. 


Reporting Notice 


The FBI encourages recipients who identify the use of tool(s) or techniques discussed in this document to report 
information to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be 
identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at 855-292-3937 or by e-mail at 
CyWatch@ic.fbi.gov. When available, each report submitted should include: the date; time; location; type of activity; 
number of infected users; type of equipment used for the activity; name of the submitting company or organization; 
and a designated point of contact. 




Alert Number 


MI-000082-MW 


If you find any of these indicators on your networks, or have related 
information, please contact FBI CYWATCH immediately. 
Email: 
cywatch@ic.fbi.gov 


Phone: 
1-855-292-3937 


*Note: By reporting any related 
information to FBI CyWatch, 
you are assisting in sharing 
information that allows the FBI 
to track malicious actors and 
coordinate with private industry 
and the United States 
Government to prevent future 
intrusions and attacks. 


The following information is being provided by the FBI for potential 
use at the sole discretion of recipients to protect against cyber threats. 
This data is provided to help cyber security professionals and system 
administrators guard against the persistent malicious actions of cyber 
criminals. 


This FLASH has been released TLP:WHITE and may be distributed 
without restriction, subject to copyright controls. 


Indicators Associated with Ransomware Attack 
Potentially Modeled after Petya 


Summary 


According to numerous open-source reports, a widespread 
ransomware campaign is affecting various organizations in the United 
States, France, India, Russia, Spain, Ukraine, and the United Kingdom. 
Initial open-source reporting detailed a potential variant of the Petya 
ransomware was being utilized in the attack and demanded a ransom 
of $300 US worth of bitcoin. 


Technical Details 


Open-source reports indicate the new ransomware employs the same 
EternalBlue exploit used by WannaCry ransomware, allowing it to 
spread quickly and infect additional systems. Published by the Shadow 
Brokers in April 2017, the vulnerability targets Windows’ SMB file- 
sharing system. Microsoft issued a patch for the MS17-010 SMB 
vulnerability on March 14, 2017. In addition to leveraging the Server 
Message Block (SMB) vulnerability, the ransomware also uses 
wmic/PSExec to move between computers on a local network. 


A variant of the Petya ransomware was potentially used in the attack, 
according to open-source reporting. Petya ransomware was first 
discovered in 2016 and operated atypically from previous known 
ransomware variants by overwriting the Master Boot Record (MBR) 
and encrypting the Master File Table (MFT), instead of encrypting 
individual files. While using a very similar method to overwrite the 
MBR and load a custom boot loader, the new variant also performs 
user mode encryption of select file extensions on individual files. 
Further open-source reporting indicated the ransomware attack could 
be the result of a new ransomware variant, different from Petya. 


Confirmed Indicators 


Hashes 


Contact Email 
wowsmith123456@posteo.net 




Recommended Steps for Prevention 


• Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017. 

• Enable strong spam filters to prevent phishing e-mails from reaching the end users and 
authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain 
Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified 
Mail (DKIM) to prevent e-mail spoofing. 

• Scan all incoming and outgoing e-mails to detect threats and filter executable files from 
reaching the end users. 

• Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans. 

• Manage the use of privileged accounts. Implement the principle of least privilege. No users 
should be assigned administrative access unless absolutely needed. Those with a need for 
administrator accounts should only use them when necessary. 

• Configure access controls including file, directory, and network share permissions with least 
privilege in mind. If a user only needs to read specific files, they should not have write access 
to those files, directories, or shares. 

• Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office 
Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office 
suite applications. 

• Develop, institute and practice employee education programs for identifying scams, malicious 
links, and attempted social engineering. 

• Have regular penetration tests run against the network no less than once a year and, ideally, 
as often as possible/practical. 

• Test your backups to ensure they work correctly upon use. 


Recommended Steps for Remediation 


• Contact law enforcement. We strongly encourage you to contact a local FBI field office upon 
discovery to report an intrusion and request assistance. Maintain and provide relevant logs. 

• Implement your security incident response and business continuity plan. Ideally, 
organizations should ensure they have appropriate backups so their response is simply to 
restore the data from a known clean backup. 


Defending Against Ransomware Generally 


Precautionary measures to mitigate ransomware threats include: 
• Ensure anti-virus software is up-to-date. 


• Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary 
data in a separate and secure location. Backup copies of sensitive data should not be readily 
accessible from local networks. 


• Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e- 
mails. 


• Only download software, especially free software, from sites you know and trust. 
• Enable automated patches for your operating system and Web browser. 


Reporting Notice 


The FBI encourages recipients of this document to report information concerning suspicious or criminal 
activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be 
identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by 
e-mail at CyWatch@ic.fbi.gov. When available, each report submitted should include the date, time, 
location, type of activity, number of people, and type of equipment used for the activity, the name of the 
submitting company or organization, and a designated point of contact. Press inquiries should be directed 
to the FBI’s National Press Office at npo@ic.fbi.gov or (202) 324-3691. 


Administrative Note 


This product is marked TLP:WHITE and may be distributed without restriction, subject to copyright 
controls. 


For comments or questions related to the content or dissemination of this product, contact 
CyWatch. 




NENNEN lamp) (CON) b6 


ь7с 
From: CYWATCH 
Sent: Monday, July 03, 2017 3:05 PM 
Cc: CYWATCH 
Subject: FLASH MI-000082-MW (TLP:WHITE) 
Attachments: Petya-Petrwrap FLASH, 07-03-17 FINAL 005.pdf; TLP-WHITE-MI-000082-MW-All.xml 
Categories: Complete 


ALCON, 


Please see the attached FBI Liaison Alert System (FLASH) MI-000082-MW (TLP:WHITE), Indicators Associated With 
Ransomware Attack Potentially Modeled after Petya. 


FLASH MI-000082-MW is being disseminated to confirm indicators for the private sector. 


This product is marked TLP:WHITE. This information may be distributed without restriction, subject to copyright 
controls. 


Respectfully, 


CyWatch 
1-855-292-3937 
Case ID #: (U) FBI Liaison Alert System (FLASH) 

Messages 
Synopsis: (U//FOUO) On behalf of MCCIU II, CyWatch disseminated FBI 
Liaison Alert System (FLASH) Message: b7E 


on 15 SEP 2017. 
Alert Number 


If you find any of these indicators on your networks, or have related 
information, please contact FBI CYWATCH immediately. 
Email: 
cywatch@ic.fbi.gov 


Phone: 
1-855-292-3937 


*Note: By reporting any related 
information to FBI CyWatch, 
you are assisting in sharing 
information that allows the FBI 
to track malicious actors and 
coordinate with private industry 
and the United States 
Government to prevent future 
intrusions and attacks. 


The following information is being provided by the FBI, with no guarantees 
or warranties, for potential use at the sole discretion of recipients in order 
to protect against cyber threats. This data is provided to help cyber security 


professionals and system administrators guard against the persistent 
malicious actions of cyber criminals. 


This FLASH has been released TLP:AMBER. Recipients may only share 
TLP:AMBER information with members of their own organization, and with 


clients or customers who need to know the information to protect 
themselves or prevent further harm. 


TLP:AMBER 


b7E 


b7E 


Reporting Notice 

The FBI encourages recipients of this document to report information 
concerning suspicious or criminal activity to their local FBI field office or the 
FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at 
www.fbi.gov/contact-us/field. CyWatch сап be contacted by phone at (855) 
292-3937 or by e-mail at CyWatch@ic.fbi.gov. When available, each report 
submitted should include the date, time, location, type of activity, number 
of people, and type of equipment used for the activity, the name of the 
submitting company or organization, and a designated point of contact. 




b7E 


Press inquiries should be directed to the FBI’s National Press Office at 
npo@ic.fbi.gov or (202) 324-3691. 


Administrative Note 


This product is marked TLP:AMBER. Recipients may only share TLP:AMBER 
information with members of their own organization, and with clients or 


customers who need to know the information to protect themselves or 
prevent further harm. Sources are at liberty to specify additional intended 
limits of the sharing: these must be adhered to. 


Case ID #: (U) FBI Liaison Alert System (FLASH) 

Messages 
Synopsis: (U//FOUO) On behalf of MCCIU II, CyWatch disseminated FBI 
Liaison Alert System (FLASH) Message: b7E 
on 29 


September 2017. 


** 


C MD) (CON) 


From: CYWATCH 

Sent: Friday, September 29, 2017 4:42 PM 
Cc: CYWATCH 

Subject: 

Attachments: 

Categories: Complete 


ALCON, 


Please see the attached FBI Liaison Alert System ан] 
[is being disseminated for your situational awareness. 


This product is marked TLP:AMBER. Recipients may only share this information with members of their own organization 
who need to know, and only as widely as necessary to act on that information. 


Respectfully, 


CyWatch 
1-855-292-3937 
Case ID #: (U) FBI Liaison Alert System (FLASH) 

Messages 
Synopsis: (U//FOUO) On behalf of MCCIU II, CyWatch disseminated FBI 


Liaison Alert System (FLASH) Message: 
UNCLASSIFIED//FOUO 
Alert Number 
If you find any of 
these indicators on 
your networks, or 
have related 
information, please 
contact 
FBI CYWATCH 
immediately. 
Email: 
cywatch@ic.fbi.gov 


Phone: 
1-855-292-3937 


*Note: By reporting any 
related information to FBI 
CyWatch, you are assisting 
in sharing information that 

allows the FBI to track 

malicious actors and 
coordinate with private 
industry and the United 

States Government to 

prevent future intrusions and 
attacks. 


The following information is being provided by the FBI, with no 
guarantees or warranties, for potential use at the sole discretion of 
recipients in order to protect against cyber threats. This data is 
provided to help cyber security professionals and system administrators 
guard against the persistent malicious actions of cyber criminals. 


This FLASH has been released TLP:GREEN. The information in this 
product is useful for the awareness of all participating organizations 


within their sector or community, but should not be shared via publicly 
accessible channels. 


Summary 


This communication is intended to aras: information released in previous 


The FBI is providing the following information with HIGH confidence: 


Technical Details 


ы) 


b7E 


b7E 


b7E 


b7E 


b7E 


b7E 


b7E 


b7E 


b7E 


b7E 


TLP: GREEN 


b7E 


Recommended Mitigations 


b7E 


This product is marked TLP:GREEN. Recipients may share TLP:GREEN 
information with peers and partner organizations within their sector or 
community, but not via publicly accessible channels. Information in this 
category can be circulated widely within a particular community. TLP:GREEN 
information may not be released outside of the community. 
Case ID #: (U) FBI Liaison Alert System (FLASH) 
Messages 


Synopsis: (U//FOUO) On behalf of MECIU, CyWatch disseminated FBI 
Liaison Alert System (FLASH) Message: ME-000092-TT, Malicious cyber 


activity of Iran-based Mabna Institute. 
UNCLASSIFIED//FOUO 


23 MAR 2018 


Alert Number 


ME-000092-TT 


these indicators on 

your networks, or 
have related 

information, please 


contact 


FBI CYWATCH 
immediately. 


Email: 


cywatch@ic.fbi.gov 


Phone: 


1-855-292-3937 


*Note: By reporting any 
related information to FBI 
CyWatch, you are assisting in 
sharing information that 
allows the FBI to track 
malicious actors and 
coordinate with private 
industry and the United 
States Government to 
prevent future intrusions and 


attacks. 


The following information is being provided by the FBI, with no 
guarantees or warranties, for potential use at the sole discretion of 
recipients in order to protect against cyber threats. This data is provided 
in order to help cyber security professionals and system administrators 
to guard against the persistent malicious actions of cyber criminals. 


This FLASH has been released TLP:WHITE. Subject to standard copyright 
rules, TLP:WHITE information may be distributed without restriction. 


Malicious cyber activity of Iran-based Mabna 
Institute 


Summary 

According to information derived from an FBI investigation, a group of 
malicious cyber actors working for the Iran-based Mabna Institute 
(Mabna) have been conducting coordinated and broadly targeted 
password spray attacks against organizations in the United States and 
abroad. Victims of Mabna often lack multi-factor authentication (MFA), 
lack preventative network activity alerts, and allow easy-to-guess 
passwords (e.g., "Winter2018", "Password123!"). 


Nine Mabna Institute actors were indicted by the Department of Justice 
in the Southern District of New York in February 2018, for computer 
intrusion offenses related to the activity described in this report. The 
techniques and activity described herein, while characteristic of Mabna 
actors, are not solely used by this group. 


Mabna targets companies using single sign-on (SSO) and cloud-based 
applications utilizing federated authentication protocols. While many 
SSO and cloud-based applications offer federated authentication 
protocols, Mabna has focused their efforts on victims hosted on 
Microsoft Office 365 (O365). After successfully compromising victims, 
Mabna actors likely utilize inbox synchronization to obtain unauthorized 
access to the organization's email directly from the cloud which 
subsequently allows for the download of user mail to locally stored email 
files (.PST). In addition, Mabna often surreptitiously implements inbox 
rules for the forwarding of sent and received messages through the use 
of synchronization functionality in email clients like Microsoft Outlook. 
rules for the forwarding of sent and received messages through the use 
of synchronization functionality in email clients like Microsoft Outlook. 


Technical Details 

During a password spray attack, a malicious actor attempts a single 
password against a population of accounts before moving on to attempt 
a second password against the accounts, and so on. This technique 
allows the actor to remain undetected by avoiding account lockouts. 
Traditional Tactics, Techniques, and Procedures (TTPs) for conducting 
the password-spray attacks are as follows: 


• Perform online research (i.e., Google search, LinkedIn, etc.) to 
identify target organizations and specific user accounts for initial 
password spray 


• Using easy-to-guess passwords (e.g., "Winter2018", 
“Password123!”) and publicly available tools, execute a password 
spray attack against targeted accounts by utilizing the identified 
SSO or web-based application and federated authentication 
method 


• Leveraging the initial group of compromised accounts, download 
the Global Address List (GAL) from a target's email client, and 
perform a larger password spray against legitimate accounts 


• Using the compromised access, malicious actors attempt to 
expand laterally (e.g., via Remote Desktop Protocol) within the 
network, and perform mass data exfiltration using File Transfer 
Protocol tools such as Filezilla 


Indicators of a password spray attack include: 

• A massive spike in attempted logons against the enterprise SSO 
portal or web-based application. Using automated tools, malicious 
actors attempt thousands of logons, in rapid succession, against 
multiple user accounts at a victim enterprise, originating from a 
single IP address and computer (e.g., a common User-Agent string). 
Attacks have been seen to run for over two hours 

• Employee logons from IP addresses resolving to locations 
inconsistent with their normal locations 


Mabna Intrusion Activity 

The FBI notes that Mabna has conducted password spray attacks and 
malicious activity from hundreds of IP addresses. Additionally, Mabna is 
known to mask their true location through the use of various VPN 
providers including, but not limited to, IPVanish. 


The FBI also notes that Mabna may have compromised organizations 
with MFA in place. An attacker can perform a password spray attack 
against an MFA-protected protocol and confirm a legitimate user ID and 
password combination, but is generally unable to defeat the second 
authentication factor. However, the attacker can then take the verified 
user ID and password combination, search for other, lesser-used 
protocols that MFA may not cover, and attempt to gain unauthorized 
access through them. 
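Both the spray indicators listed under Technical Details and the MFA-gap follow-on just described can be caught from sign-in logs. The following is an added example, not part of the FBI FLASH. The sign-in records are constructed, and their field names (ts, user, src_ip, user_agent, result, client_app, mfa, country), the per-user country baseline and the list of legacy client apps are assumptions standing in for whatever your identity provider exports (AD FS audit events or Azure AD sign-in logs, for instance); map your own schema onto them.

```python
"""Detect a password spray and the legacy-protocol follow-on from sign-in logs.

Added example, not part of the FBI FLASH. The events below are constructed;
field names, the country baseline and the legacy client-app list are
assumptions to be mapped onto your IdP's log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Client apps that accept only a username/password and so sit outside an
# MFA policy unless legacy authentication is explicitly blocked (assumed).
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP",
                      "Exchange ActiveSync", "Other clients"}


def _ev(ts, user, ip, ua, result, app="Browser", mfa="satisfied", country="US"):
    return {"ts": datetime.fromisoformat(ts), "user": user, "src_ip": ip,
            "user_agent": ua, "result": result, "client_app": app,
            "mfa": mfa, "country": country}


SPRAY_UA = "Mozilla/5.0 (Windows NT 6.1) python-requests/2.18"
EVENTS = [
    # Ordinary staff logons.
    _ev("2018-03-12T08:55:10", "alice@example.edu", "198.51.100.7",
        "Mozilla/5.0 (Windows NT 10.0) Chrome/64", "success"),
    _ev("2018-03-12T08:58:42", "bob@example.edu", "198.51.100.9",
        "Mozilla/5.0 (Macintosh) Safari/11", "success"),
    # One password tried against seven accounts within seconds, one IP/UA.
    *[_ev(f"2018-03-12T09:00:{i:02d}", f"user{i}@example.edu",
          "203.0.113.45", SPRAY_UA, "failure") for i in range(7)],
    # Second pass: bob's password is guessed, but the browser path asks
    # for MFA, which the actor cannot satisfy, so the logon still fails.
    _ev("2018-03-12T09:31:05", "bob@example.edu", "203.0.113.45", SPRAY_UA,
        "failure", mfa="not satisfied"),
    # Follow-on: the same credential replayed over IMAP, where MFA is not
    # applied, from an exit node in another country.
    _ev("2018-03-12T09:40:21", "bob@example.edu", "203.0.113.45",
        "Outlook/16.0", "success", app="IMAP4", mfa="not required", country="NL"),
]

BASELINE_COUNTRIES = {"alice@example.edu": {"US"}, "bob@example.edu": {"US"}}  # constructed


def detect_password_spray(events, window=timedelta(minutes=60), min_accounts=5):
    """Sources (src_ip, user_agent) whose failed logons touch at least
    `min_accounts` distinct accounts inside any `window`, mapped to the full
    set of accounts they tried."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[(e["src_ip"], e["user_agent"])].append(e)
    flagged = {}
    for source, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, last in enumerate(evs):
            recent = {e["user"] for e in evs[:i + 1] if last["ts"] - e["ts"] <= window}
            if len(recent) >= min_accounts:
                flagged[source] = {e["user"] for e in evs}
                break
    return flagged


def sprayed_accounts(flagged):
    return set().union(*flagged.values()) if flagged else set()


def detect_mfa_gap_logons(events, targets):
    """Successful logons by sprayed accounts over a legacy client app with
    MFA not enforced: the verified password reused on a lesser-used protocol."""
    return [e for e in events
            if e["result"] == "success" and e["user"] in targets
            and e["client_app"] in LEGACY_CLIENT_APPS and e["mfa"] != "satisfied"]


def detect_location_anomalies(events, baseline):
    """Successful logons from a country outside the user's usual set."""
    return [e for e in events
            if e["result"] == "success"
            and e["country"] not in baseline.get(e["user"], set())]


if __name__ == "__main__":
    spray = detect_password_spray(EVENTS)
    for (ip, ua), users in spray.items():
        print(f"spray from {ip} ({ua}): {len(users)} accounts")
    for e in detect_mfa_gap_logons(EVENTS, sprayed_accounts(spray)):
        print(f"MFA gap: {e['user']} via {e['client_app']} from {e['src_ip']} ({e['country']})")
    for e in detect_location_anomalies(EVENTS, BASELINE_COUNTRIES):
        print(f"location anomaly: {e['user']} from {e['country']}")
```

The spray rule keys on source IP plus User-Agent rather than on a single account, which is what makes it visible when per-account lockout counters never trip; the MFA-gap rule is only as good as the protocol and MFA fields your IdP actually records, which is the logging weakness the next section calls out.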


Mabna targets SSO and web-based applications because a single point 
of compromise typically yields access to large amounts of intellectual 
property. Specifically targeting SSO and web-based applications that use 
the federated authentication method, Mabna actively identifies 
companies whose deployments share the following common weaknesses: 

a) Absent specific configuration by the customer, the event logging 
available to the customer can be too limited for post-incident 
response and investigation 

b) Absent additional technology, the authentication software, most 
commonly Active Directory Federation Services (AD FS), has limited 
capability to defend against brute force-style attacks such as 
password sprays 

c) Absent specific configuration by the customer, the IP address 
captured by AD FS is most commonly that of the SSO or web-based 
application, which forwards the request on the user's behalf, and 
not the source IP address of the malicious actor 


Typical Victim Environment 

While Mabna has been seen to target different environments, the vast 
majority of known victims share the following profile: 

• Use O365 or Outlook with the federated authentication method, 
and lack MFA 

• Allow easy-to-guess passwords (e.g., "Winter2018", 
"Password123!") 

• Use inbox synchronization, allowing email to be pulled from the 
Microsoft cloud to a remote device 

• Allow email forwarding to be set up at the user level 

• Have limited logging set up with Microsoft, creating difficulty 
during post-event investigations 


Recommended Mitigations 

To help deter this style of attack, the following steps should be taken: 

• Enable MFA and review MFA settings to ensure coverage of all 
active, internet-facing protocols 

• Review password policies to ensure they align with the latest NIST 
guidelines and deter the use of easy-to-guess passwords 

• Review IT Helpdesk password management related to initial 
passwords, password resets for user lockouts, and shared 
accounts. IT Helpdesk password procedures may not align with 
company policy, creating a security gap Mabna can exploit 
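Both passwords named in this FLASH, "Winter2018" and "Password123!", pass a classic complexity rule and fail the NIST SP 800-63B approach the second mitigation points to, which screens candidates against blocklists of common, context-specific and patterned values instead of demanding character classes. The following is an added example and not part of the FBI FLASH; the common-password list, the organization words and the test passwords are constructed, and a production deployment would check against a large breached-password corpus rather than this short list.

```python
"""Screen candidate passwords the way NIST SP 800-63B recommends.

Added example, not part of the FBI FLASH. The blocklist and organization
words are constructed; replace COMMON_PASSWORDS with a breached-password
corpus in production.
"""
from __future__ import annotations

import re

COMMON_PASSWORDS = {"password", "password1", "password123", "welcome1",
                    "letmein", "qwerty123", "123456", "changeme"}
SEASONS_MONTHS = {"spring", "summer", "autumn", "fall", "winter", "january",
                  "february", "march", "april", "may", "june", "july", "august",
                  "september", "october", "november", "december"}
# Leet substitutions undone before comparing against the blocklist.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "$": "s",
                       "3": "e", "4": "a", "5": "s", "7": "t"})


def meets_legacy_complexity(pw: str) -> bool:
    """The classic rule ("8+ chars, 3 of 4 character classes") that both
    'Winter2018' and 'Password123!' satisfy."""
    classes = (re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw))
    return len(pw) >= 8 and sum(1 for c in classes if c) >= 3


def normalize(pw: str) -> str:
    """Strip the trailing digits/symbols users bolt on and undo leet-speak,
    so 'P@ssw0rd2018!' compares as 'password' and 'Winter2018' as 'winter'."""
    core = re.sub(r"[\d\W_]+$", "", pw)
    return core.translate(_LEET).lower()


def nist_screen(pw: str, username: str = "", org_words=()) -> tuple[bool, list[str]]:
    """Return (accepted, reasons). Rejections follow SP 800-63B 5.1.1.2:
    minimum length, blocklisted values, context-specific words, and
    repetitive or sequential characters. No composition rules."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    core = normalize(pw)
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("on the common-password blocklist")
    if core in SEASONS_MONTHS:
        reasons.append("season or month plus a number (the Winter2018 pattern)")
    context = [w.lower() for w in (username.split("@")[0], *org_words) if w]
    if any(w in pw.lower() for w in context):
        reasons.append("contains the username or organization name")
    if re.search(r"(.)\1{2,}", pw):
        reasons.append("three or more repeated characters")
    if re.search(r"0123|1234|2345|3456|4567|5678|6789|abcd|qwer|asdf", pw.lower()):
        reasons.append("sequential characters")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("Winter2018", "Password123!", "P@ssw0rd2018!",
                      "correct horse battery staple"):
        ok, why = nist_screen(candidate, username="jdoe@example.edu", org_words=("Example",))
        print(f"{candidate!r}: legacy={meets_legacy_complexity(candidate)} "
              f"nist={'accept' if ok else 'reject'} {why}")
```

The normalization step is what matters against a spray: the actor's list is built from exactly these season-plus-year and word-plus-digits shapes, so the screen has to reject the shape, not just the literal string.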




On March 5, 2018, Microsoft released an article highlighting the dangers 
of password spray attacks, along with the tools it currently offers or 
will offer in 2018 to defend against this style of attack. The FBI has 
included the article so that Microsoft customers can review and consider 
implementing the available tools to better detect and prevent password 
spray attacks: 

https://cloudblogs.microsoft.com/enterprisemobility/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/ 


Reporting Notice 

The FBI encourages recipients of this document to report information 
concerning suspicious or criminal activity to their local FBI field office or 
the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be 
identified at www.fbi.gov/contact-us/field. CyWatch can be contacted 
by phone at (855) 292-3937 or by e-mail at cywatch@ic.fbi.gov. When 
available, each report submitted should include the date, time, location, 
type of activity, number of people, and type of equipment used for the 
activity, the name of the submitting company or organization, and a 
designated point of contact. Press inquiries should be directed to the 
FBI’s National Press Office at npo@ic.fbi.gov or (202) 324-3691. 


Administrative Note 


This product is marked TLP:WHITE. Subject to standard copyright rules, 
TLP:WHITE information may be distributed without restriction. 
17 APRIL 2018 


Alert Number 




The following information is being provided by the FBI, with no 
guarantees or warranties, for potential use at the sole discretion of 
recipients in order to protect against cyber threats. This data is 
provided in order to help cyber security professionals and system 
administrators to guard against the persistent malicious actions of 
cyber criminals. b7E 


This product is marked TLP:AMBER. Recipients may only share 
TLP:AMBER information with members of their own organization, and 
with clients or customers who need to know the information to 
protect themselves or prevent further harm. 


b7E 


TLP:AMBER 


b7E 


Reporting Notice 

The FBI encourages recipients of this document to report information 
concerning suspicious or criminal activity to their local FBI field office 
or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be 
identified at www.fbi.gov/contact-us/field. CyWatch can be contacted 
by phone at (855) 292-3937 or by e-mail at cywatch@ic.fbi.gov. 
When available, each report submitted should include the date, time, 
location, type of activity, number of people, and type of equipment 
used for the activity, the name of the submitting company or 
organization, and a designated point of contact. Press inquiries should 
be directed to the FBI’s National Press Office at npo@ic.fbi.gov or 
(202) 324-3691. 


Administrative Note 

This product is marked TLP:AMBER. Recipients may only share 
TLP:AMBER information with members of their own organization, and 
with clients or customers who need to know the information to 
protect themselves or prevent further harm. 
Alert Number 




The following information is being provided by the FBI, with no guarantees or 
warranties, for potential use at the sole discretion of recipients in order to 
protect against cyber threats. This data is provided to help cyber security 
professionals and system administrators to guard against the persistent 
malicious actions of cyber criminals. b7E 
This FLASH has been released TLP:GREEN. The information in this product is 
useful for the awareness of all participating organizations within their sector 
or community, but should not be shared via publicly accessible channels. 
b7E 


TLP:AMBER 


b7E 


Reporting Notice 

The FBI encourages recipients of this document to report information 
concerning suspicious or criminal activity to their local FBI field office or the 
FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at 
www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 
292-3937 or by e-mail at cywatch@ic.fbi.gov. When available, each report 
submitted should include the date, time, location, type of activity, number of 
people, and type of equipment used for the activity, the name of the 
submitting company or organization, and a designated point of contact. 
Press inquiries should be directed to the FBI’s National Press Office at 
npo@ic.fbi.gov or (202) 324-3691. 


Administrative Note 


This product is marked TLP:AMBER. Recipients may only share TLP:AMBER 
information with members of their own organization, and with clients or 
customers who need to know the information to protect themselves or 
prevent further harm. 


For comments or questions related to the content or dissemination of this 
product, contact CyWatch. 
Messages 

Synopsis: (U//FOUO) On behalf of ECOU 2, CyWatch disseminated FBI 
Liaison Alert System (FLASH) Message: 
(IMD) (CON) 


From: CYWATCH 
Sent: Wednesday, May 23, 2018 4:43 PM 
Cc: CYWATCH 


Subject: FLASH TLP: GREEN b7E 
Attachments: 


Please see the attached FBI Liaison Alert System (FLASH) b7E 
[ —— ] being disseminated for your situational awareness. b7E 


This product is marked TLP: GREEN. The information in this product may be shared with peers and partner organizations 
within their sector or community, but not via publicly accessible channels. 


Respectfully, 


CyWatch 
1-855-292-3937 
Synopsis: (U//FOUO) CyWatch disseminated FBI Liaison Alert System 
(FLASH) Message: b7E on 16 November 2017. 
(IMD) (CON) 


From: CYWATCH 

Sent: Thursday, November 16, 2017 10:51 AM 

Cc: CYWATCH 

Subject: b7E 
Attachments: 

Categories: Complete 


ALCON, 


Please see the attached FBI Liaison Alert System (FLASH) b7E 


This FLASH is a limited distribution FLASH message. 


FLASH is being disseminated for limited distribution b7E 


This product is marked TLP: AMBER. Recipients may only share this information with members of their own organization 
who need to know, and only as widely as necessary to act on that information. 


b7E 


Respectfully, 


CyWatch 
1-855-292-3937 
Case ID: (U) FBI Liaison Alert System (FLASH) 
Messages 
Synopsis: (U//FOUO) CyWatch disseminated FBI Liaison Alert System 
(FLASH) Message: b7E 


on 06 December 2017. 


** 
(IMD) (CON) 


From: CYWATCH 
Sent: Wednesday, December 06, 2017 1:10 PM 


Cc: CYWATCH 
Subject: FLASH TLP: GREEN b7E 


ALCON, 


[is being disseminated for your situational awareness. b7E 


This product is marked TLP: GREEN. The information in this product is useful for the awareness of all participating 
organizations within their sector or community; however, this information should not be shared via publicly accessible 
channels. The STIX attachment is marked TLP: AMBER. Recipients may only share this information with partners who 
need to know, and only as widely as necessary to act on that information. 
Respectfully, 


CyWatch 
1-855-292-3937 
From: CYWATCH 
Sent: Thursday, March 01, 2018 4:06 PM 
Cc: CYWATCH 


Subject: FLASH TLP: GREEN b7E 
Attachments: 


ALCON, 


Please see the attached FBI Liaison Alert System (FLASH) b7E 
being disseminated for your situational awareness. b7E 


This product is marked TLP: GREEN. The information in this product may be shared with peers and partner organizations 
within their sector or community, but not via publicly accessible channels. 


Respectfully, 


CyWatch 
1-855-292-3937 


